A token is used to authenticate portal members. When a user attempts to access the portal, they provide their user name and password. ArcGIS Enterprise verifies the supplied credentials, generates a token, and issues a token to the member.
A token is a string of encrypted information that contains the user's name, the token expiration time, and other proprietary information. When a token is issued to the member, they can access the portal until the token expires. When it expires, the member must provide their user name and password again.
There are three different types of tokens used within the portal:
- ArcGIS token—A token generated through the sharing/rest/generateToken endpoint.
- OAuth access token—A token generated through the OAuth2 authentication workflow.
- OAuth refresh token—A token used to generate new OAuth access tokens when they expire.
When generating a new token, it's recommended that you specify an expiration time for the token. The maximum value that can be chosen depends on the type of token being generated.
- ArcGIS token—14 days (20,160 minutes)
- OAuth access token, when created with the Implicit or Client Credentials grant types—14 days (20,160 minutes)
- OAuth access token, when created with the Authorization Code grant type—30 minutes
- OAuth refresh token—90 days (129,600 minutes)
If an expiration time is specified that is greater than these values, a token will still be generated but will have an expiration matching the maximum value that can be created for that type of token. If an expiration time isn't specified when generating a token, a default value is used that varies for each type of token:
- ArcGIS token—120 minutes
- OAuth access token, when created with the Implicit or Client Credentials grant types—120 minutes
- OAuth access token, when created with the Authorization Code grant type—30 minutes
- OAuth refresh token—2 weeks (20,160 minutes)
These maximum and default values cannot be increased and can be decreased by setting the maxTokenExpirationMinutes property in the ArcGIS Portal Directory. The value for the maxTokenExpirationMinutes property applies to each type of token. If that value is less than the maximum value but greater than the default value, only the maximum value will be impacted, and the default value will stay the same. If the value is less than both the maximum and default values, both values will be affected, and the maximum and default values will match what is defined in maxTokenExpirationMinutes.
Although these values may be appropriate for your organization, it is important to consider the security implications behind a token. A token with a longer expiration time is less secure. For example, a token intercepted by a malicious user can be used until the token expires. Conversely, a shorter expiration time is more secure but less convenient, as members may need to enter their user name and password more frequently.
To change the maximum token expiration time for all three token types, follow the steps below. The value you specify applies to all portal members; you cannot specify different values for specific members or only administrators.
- Sign in to the ArcGIS Portal Directory as an administrator of your organization.
The URL is in the format https://organization.example.com/<context>/sharing/rest
- Click Portals > Self.
- Scroll to the bottom of the page and click Update.
- Update the Max Token Expiration Minutes field with the desired value (in minutes). For example, enter 1440 to specify an expiration period of one day.
- Click Update Organization to apply your changes.